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DETAILED ACTION 
Response to Amendment 

1 . In response to communications filed on 01/16/2008, applicant amends claims 1 , 
1 1 and 21 . The following claims, claims 1-30 are presented for examination. 

Response to Remarks/Arguments 

2. Applicant's arguments, pages 11-13, with respect to the rejection of claims 1 -30 
have been fully considered but they are not persuasive. 

2.2 In response to Applicant argument that the Douglas in view of Maier references 
do not teach or suggest support apparatus arrange separately from the intrusion 
detection system, the Examiner respectfully disagrees citing column 2 lines 29-58 which 
recites "detects attacks targeted at the host system on which it is installed, e.g. on a 
web server 1 , a domain name server, a mail server etc." and "monitors logs of 
applications running on the host ... monitor system files via its file integrity checking 
feature ... notifying the IDS administrator when key system and security files have been 
accessed, modified or even deleted" which clearly distinguishes the separation between 
the servers and host systems. 

Claim Rejections - 35 USC § 103 

3. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 
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(a) A patent may not be obtained though the invention is not identically disclosed 
or described as set forth in section 102 of this title, if the differences between the 
subject matter sought to be patented and the prior art are such that the subject 
matter as a whole would have been obvious at the time the invention was made 
to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was 
made. 

Claims 1-30 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Douglas et al. (US Patent No. 7,152,242 B2) and further in view of Maier et al. 
(US Patent No. 5,625,815). 

Regarding claims 1.11 and 21 , Douglas , discloses an IDS log analysis support 
apparatus, method and program comprising: a log collection section that collects 
a log of an intrusion detection system that is connected to a telecommunication 
network (col. 2 lines 17-20 - "host-based [intrusion detection system IDS sensor 
(HIDS)that detects attacks targeted at the host system on which it is installed, 
e.g. on a web server, a domain name server, a mail server, etc."); and a log 
analysis section that obtains statistics of the logs managed by the database and 
analyses the statistics, where the support apparatus is arrange separately from 
the IDS (col. 2 lines 29-35 - "detects attacks by monitoring the output to the 
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system and audit logs"). 

Douglas is silent in disclosing a database that stores and manages logs 
collected by the log collection section, however Maier et al. does disclose 
such a database. It would have been obvious at the time of the invention, 
for one of ordinary skill in the art to modify the host based intrusion 
detection system of Douglas to make use of a database as this is an 
efficient means of managing a large quantities of data, such as intrusion 
detection logs and would benefit the invention by providing state of the art 
data management. 

Regarding claims 2. 12 and 22 . Douglas , discloses the IDS log analysis support 
apparatus, method and program according to claim 1 , wherein the log analysis 
section comprises an internal and external similarity analysis device that 
sequentially compares an inward log in the logs, which is a log of accesses made 
from a non-protected subject side of the intrusion detection system to a protected 
subject side of the Intrusion detection system, with an outward log In the logs, 
which Is a log of accesses made from the protected subject side to the non- 
protected subject side, and sequentially calculates a degree of similarity that 
shows an extent to which the inward log and the outward log match based on the 
result of the comparison, and determines whether or not an abnormality has 
occurred based on the degree of similarity (col. 2 lines 29-58 - "detects attacks 
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targeted at the host system on which it is installed, e.g. on a web server 1 , a 
domain name server, a mail server etc." and "monitors logs of applications 
running on the host ... monitor system files via its file integrity checking feature 
... notifying the IDS administrator when key system and security files have been 
accessed, modified or even deleted."). 

Regarding claims 3. 13 and 23 . Douglas , does not explicitly disclose the IDS log 
analysis support apparatus according to claim 1 , wherein the log analysis section 
comprises an access country analysis device that, taking as a subject to be 
detected a name of a country to which belongs a transmission source of an 
inward log in the logs, which is a log of accesses made from a non-protected 
subject side of the intrusion detection system to a protected subject side of the 
intrusion detection system, allocates a ranking to occurrence frequencies of 
country names, and determines that an abnormality has occurred when there is a 
change in the ranking of the country names that are normally detected, however 
it would have been obvious, to one of ordinary skill in the art, at the time of the 
invention to modify the disclosed "IP Address" of Douglas to be translated / 
traced to the originating country. The benefit of such modification would be to 
extend the usefulness of data that is already being collected by the invention to 
provide more information of the source of an attack (Rejected under the same 
rationale as claims 2, 12, 22, column 13 lines 51-67 and column 14 lines 1-10). 
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Regarding claims 4. 14 and 24 . Douglas , does not explicitly disclose the IDS log 
analysis support apparatus according to claim 1, wherein the log analysis section 
comprises an access country analysis device that, taking as a subject to be 
detected a name of a country to which belongs a transmission source of an 
inward log in the logs, which is a log of accesses made from a non-protected 
subject side of the intrusion detection system to a protected subject side of the 
intrusion detection system, determines that an abnormality has occurred when 
there is an increase in the occurrence frequency of a country name that is not 
normally detected, however it would have been obvious, to one of ordinary skill in 
the art, at the time of the invention to modify the disclosed "IP Address" of 
Douglas to be translated / traced to the originating country. The benefit of such 
modification would be to extend the usefulness of data that is already being 
collected by the invention to provide more information of the source of an attack 
(Rejected under the same rationale as claims 2, 12, 22, col. 13 lines 51-67 and 
col. 14 lines 1-10). 

Regarding claims 5. 15 and 25 , Douglas , does not explicitly disclose the IDS log 
analysis support apparatus according to claim 1 , wherein the log analysis section 
comprises an access country analysis device that, taking as a subject to be 
detected a name of a country to which belongs a transmission destination of an 
outward log in the logs, which is a log of accesses made from a protected subject 
side of the intrusion detection system to a non-protected subject side of the 
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intrusion detection system, allocates a ranking to occurrence frequencies of 
country names, and determines that an abnormality has occurred when there is a 
change in the ranking of the country names that are normally detected, however 
it would have been obvious, to one of ordinary skill in the art, at the time of the 
invention to modify the disclosed "IP Address" of Douglas to be translated / 
traced to the originating country. The benefit of such modification would be to 
extend the usefulness of data that is already being collected by the invention to 
provide more information of the source of an attack (Rejected under the same 
rationale as claims 2, 12, 22, col. 13 lines 51-67 and col. 14 lines 1-10). 

Regarding claims 6. 16 and 26 . Douglas , discloses IDS log analysis support 
apparatus according to claim 1 , wherein the log analysis section comprises an 
access country analysis device that, taking as a subject to be detected a name of 
a country to which belongs a transmission destination of an outward log, which is 
a log of accesses made from a protected subject side of the intrusion detection 
system to a non-protected subject side of the intrusion detection system that are 
in the logs, determines that an abnormality has occurred when there is an 
increase in the occurrence frequency of a country name that Is not normally 
detected, however it would have been obvious, to one of ordinary skill in the art, 
at the time of the invention to modify the disclosed "IP Address" of Douglas to be 
translated / traced to the originating country. The benefit of such modification 
would be to extend the usefulness of data that is already being collected by the 
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invention to provide more information of the source of an attack (Rejected under 
the same rationale as claims 2, 12, 22, col. 13 lines 51-67 and col. 14 lines 1-10). 

Regarding claims 7. 17 and 27 . Douglas , discloses the IDS log analysis support 
apparatus according to claim 1 , wherein the log analysis section comprises a 
ratio analysis device that compares a short term number of events, which is the 
number of a predetermined event contained in a predetermined unit time period 
in the logs, with an average value of a short term number of events for a plurality 
of the unit time periods, and determines whether or not an abnormality has 
occurred based on a ratio of the short term number of events relative to the 
average value (col. 4 lines 61-67 and col. 5 lines 1-8 - "when a configured time 
interval elapses, a new instance of the EDE module is then started providing the 
previous instance has terminated"). 

Regarding claims 8. 18 and 28 . Douglas . Is silent in disclosing the IDS log 
analysis support apparatus according to claim 1 , wherein the log analysis section 
comprises a threshold learning device that calculates a short term number of 
events, which is the number of a predetermined event contained in a 
predetermined unit time period in the logs, and an average value of a short term 
number of events for a plurality of the unit time periods, and a standard deviation 
value of a short term number of events for a plurality of the unit time periods, and 
determines whether or not an abnormality has occurred using a result obtained 
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by dividing a difference between the short term number of events of a subject 
being investigated and the average value by the standard deviation value, 
however it would have been obvious, to one of ordinary skill in the art, at the time 
of the invention to modify the disclosed module callback functionality in which 
modules are started and terminated according to event detections and execute 
for preset time pehods (col. 4 lines 61-67 and col. 5 lines 1-8 - "when a 
configured time interval elapses, a new instance of the EDE module is then 
started providing the previous instance has terminated"). 

Regarding claims 9. 19 and 29 . Douglas , discloses the IDS log analysis support 
apparatus according to claim 1, wherein a plurality of intrusion detection systems 
are connected to the telecommunication network, and the plurality of intrusion 
detection systems each have a different protected subject, and the log analysis 
section comprises an IDS comparison device that compares a monitored profile, 
which is characteristics of logs of a monitored intrusion detection system, which 
is one intrusion detection system from among the plurality of intrusion detection 
systems, with an integrated profile, which is characteristics of logs of all the 
intrusion detection systems other than the monitored intrusion detection system 
from among the plurality of intrusion detection systems, and determines that an 
abnormality has occurred when the difference between the monitored profile and 
the integrated profile is equal to or greater than a predetermined value (col. 4 
lines 31-37 - "scheduled modules (modules that are expected to terminate and 
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start again at fixed intervals), the AE monitors the schedule and starts these 
modules at the proper time"). 

Regarding claims 10. 20 and 30 . Douglas , discloses the IDS log analysis support 
apparatus according to claim 9, wherein the IDS comparison device comprises a 
variable state comparison device that compares a vahable state that 
accompanies an elapsed time of the monitored profile with a variable state that 
accompanies an elapsed time of the integrated profile, and determines that an 
abnormality has occurred when the difference between the variable states Is 
equal to or greater than a predetermined value (col. 4 lines 61-67 and col. 5 lines 
1-8 - "when a configured time interval elapses, a new instance of the EDE 
module is then started providing the previous instance has terminated"). 
Conclusion 

4. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply Is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action Is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1 .136(a) will be calculated from the mailing date of 
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the advisory action. In no event, liowever, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Chinwendu C. Okoronkwo whose telephone number is 
(571 ) 272 2662. The examiner can normally be reached on MWF 9:30 - 7:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Nasser Moazzami can be reached on (571) 272 4195. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 
273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

/C. C. 0.1 

Examiner, Art Unit 2136 
April 3, 2008 
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